Risk has been around a long time and is receiving a lot of press--most of it bad. For the last few years, attention has been excruciatingly focused on information security. However, the current market dislocation initiated in the subprime mortgage sector has dramatically shifted the spotlight away from information risk and back to the financial arena.
We're being showered by articles, warnings and dire forecasts concerning risk of some type or fashion--usually accompanied by predictions alluding to "the end of civilization as we know it." Personally, I think it's a bum rap. It's an image problem--a classic case of perception vs. reality with perception winning.
The great orator and American politico, Daniel Webster, defined risk as "the possibility of loss or injury; someone or something that creates or suggests a hazard; or the chance that an investment will lose value." Is it any wonder that risk has become the poster child for regulatory over-exuberance and risk aversion seems now to be the nom de guerre for financial management?
Part of the problem is that many have come to believe risk causes the problems and creates crises. But risk is a good thing. Risk is our friend. (Every morning as you drive to work, repeat that mantra three times.)
Credit unions are in the business of taking risk--prudently. If we didn't have risk on our balance sheets, where would we be? That's our job; that's how we serve our members; that's how we generate capital--by taking and managing risk. Without risk, we could not provide value. We would have no purpose. We would not survive. The key isn't to eliminate risk but to control it through sound risk management.
I want to make certain we understand the difference between two separate processes: risk management and situation management.
Risk management is a forward-thinking and ongoing process comprising five basic steps. These are the same in managing financial, operational or information risks. (It should be noted that none of these steps is called kill risk.)
Risk Identification. We need to know, within reason, the risks presented by our various endeavors. Not to be confused with impact, risk is an event, a cause--not a result. For example, a risk to our members' nonpublic information might be the possibility a hacker will exploit a weakness in our system to access and misuse that confidential data. A financial risk might be that greed drives both lenders and borrowers to artificially inflate the value of real estate by creating and fulfilling a demand through grossly imprudent lending practices, thereby triggering a mortgage-market meltdown and liquidity crisis. Sounds familiar?
Risk Measurement. The risk measurement formula (probability x impact) is a calculation of the potential result of a risk event. Probability is the likelihood of a risk event occurring. Impact is the cost of that event expressed quantitatively (dollars) or qualitatively (reputation) or by a combination of the two. Quantifying probability or impact may take some work and can be more art than science.
Risk Mitigation. Mitigation is simply the lessening of the potential result of a risk event by reducing the event's probability or impact. Mitigation can take many forms, based on the nature of the risk: physical access controls, firewalls, insurance, balance sheet diversification, pricing, etc. It's important to remember, though, that not every risk requires mitigation and no risk will be completely mitigated.
Risk Acceptance. The level of risk an institution can accept is a function of the amount of residual risk, the credit union's capital and the board of directors' risk-tolerance level. No matter what we do, there will be residual risk and at some point there will either be a deliberate acceptance of that risk or a strategic decision to forego the activity that gives rise to the risk.
Risk Monitoring. Monitoring is the ongoing process of identifying new risks as they arise and testing the effectiveness of mitigation controls on these and previously identified risks.
Situation management is the process of responding to a specific risk event when it occurs. This is where we are in terms of the current market dislocation.
Does the economic environment give cause for concern? Certainly. Will the next two to three years be a struggle for some, if not many, credit unions? Obviously. Will the events in the financial markets result in a sea change in the credit union regulatory environment? Perhaps. Will these struggles and changes rise to the level of a systemic crisis in the credit union movement? Unlikely.
The credit union movement is solid. And, as a whole, we are among the strongest capitalized institutions in the financial industry. Credit unions follow prudent loan and investment philosophies. And on balance, we're good risk managers. No doubt there will be some credit unions that experience significant difficulties. There may even be a few failures. But generally, credit unions aren't burdened with fallout from the types of decisions that are creating losses in giants such as Citigroup, Bear Stearns and Countrywide.
The specific steps each of us undertakes to manage this situation will vary depending on the nature and degree of exposure we have to the current market turmoil. However, there is one step we can all follow. Credit unions are strong and resilient, in part because of our prudent risk-management efforts. We should all make certain our members know it.
Now, let's say it again with feeling: Risk is our friend!